Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Bruce66423 writes with news of an electronic attack believed to affect at least five U.S. banking institutions this month, including JP Morgan, now being investigated by the FBI. According to the Independent, The attack on JP Morgan reportedly resulted in the loss of “gigabytes of sensitive data” that could have involved customer and employee information. It is said to have been of a level of sophistication beyond ordinary criminals, leading to speculation of a state link. The FBI is thought to be investigating whether there is a connection to Russia. American-Russian relations continue to be fraught amid the crisis in Ukraine, with sanctions ramped up.
Bruce66423 asks "The quality of the attack, which appears to have led to 'gigabytes' of data being lost, is raising the prospect of a state being the source. The present culprit suggested is Russia... why the assumption it's not China — just because China isn't invading the Ukraine at the moment?" News of the attack is also at the New York Times, which notes Earlier this year, iSight Partners, a security firm in Dallas that provides intelligence on online threats, warned companies that they should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions. But Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that works with banks, said that it would be “premature” to suggest the attacks were motivated by sanctions.

Yeah, what evildoers, giving Russia a slap on the wrist for the petty offense of invading and taking over part of another country that had insolently decided to no longer be under Russia's thumb. Next up, the evil tyrants in American and Europe will send Putin a sternly worded letter! Maybe he won't even get a Christmas card from Biden this year!

You mean like how the US carved Panama out of Colombia, or Kosovo out of Serbia? Or the rebelliions they supported in Lybia, Syria, and god knows where else. I'm not even including just taking over a country lock,stock and barrel, or just bombing it back to the stone age here.

I even remember the Russians warning the US 5-10 years ago that their decision to violate another countries soverignity and international law will bite them in the ass down the line. And lo-and-behold, here we are.

For fucks sake it doesn't do that, either. That's not the question. There is no suggestion that the attackers simply lumbered across the data by going to http://www.chase.com./ [www.chase.com] They probably (based on the patterns of most recent attacks) used spear phishing across a huge section of the employee population, then individually targeted each mark that fell into the trap for maximum leverage on gaining external access.

You mean like my bank account statement, balance, my sign in, you know, things almost every American today access everyday from their banks? I don't know about you, but, I access those things (data) via the internet facing servers provided for me by my bank.

The fear and war mongering is coming from all fronts currently. For a decade it was mostly middle east. Now they are ratcheting up the propaganda against Russia. Partially due to people realizing that the US is training and arming the "terrorists" in the middle east causing many of the problems, and partially due to needing a bigger threat. So yes, people are getting wise to the games. John Kerry and his constant screaming for a white cat has become blatantly obvious.

Sorry, but I have to call you out on that last. I work for a third party that holds much data for Chase. They aren't slacking on security. They audit and poke us all the time, to make sure stuff like this is encrypted at rest. My first thought is an inside job, before all the conspiracy theories. That's the easiest way in. Just bribe some sysadmin, or find one to blackmail.

How many times will we hear a claim of "Russia invaded the Ukraine" and have that proven false before people ignore it completely?

So, just out of curiosity, what do you get out of spinning your particular flavor of nonsense? Who benefits from you trying to convince people that - despite what they can see with their own eyes - Russia didn't just annex Crimea? That columns of Russian armor with their insignia painted over didn't just roll across the border into southeast Ukraine? Your contention has to be that those events didn't actually happen, despite untold thousands of witnesses pointing out the exact opposite. So, what's your poi

Crimea voted with a 90% margin to annex from Ukraine, this was not "Russia" doing anything. This vote happened after a bloody and violent coup in Ukraine. The voting process has not been demonstrated to be incorrect by anyone, the fact that they annexed at all is what is questioned.

If you want to play the game and cry foul, you need make sure you account for US involvement in Libya, Egypt, and every other country where we have cried foul after a vote goes against US interests. This is not something recen

Every time I see one of these things I want to go look up the quote from 1984 where is says something along the lines of "we were always at war with Eurasia or Oceana". Over the years it has really become ridiculous. Even in the 80's when we sort of had peace we were fear mongering about Russia.
Over the past 15 years we've been at war in Afghanistan and Iraq. We're not currently in Iraq, but just getting into that should have been foreseen as a bad idea. I don't think any country has had luck in a two

Why does the FBI get involved? is it because the events span multiple states, or because the banks have so much clout? If this had happened to google or microsoft, for example, would the FBI get involved?

If it crosses state lines, and/or international borders, then the FBI gets involved. Also, if the crime is highly technical, and requires specific expertise, the FBI often gets involved as well (since the police dept in city/state X might not have the same level of capability).

The FBI also uses the excuse that the crime *might* have crossed a state line or border. I expect at some time in the future they will add, "The crime may have affected interstate commerce or involved items or materials that may have crossed a state line."

Why does the FBI get involved? is it because the events span multiple states, or because the banks have so much clout? If this had happened to google or microsoft, for example, would the FBI get involved?

The FBI will exercise its power whenever it can, but almost always only if oligarchs are involved. Sure, they can't avoid the bad PR of ignoring a kidnapping, but if Grandma's money gets stolen because her paypal account is hacked, then don't expect her to get any help - only the institutions that are politically connected yet could afford their own investigation get that kind of help (while Grandma is essentially helpless). They'll excuse it by saying "oh, we can only help if the dollar amount exceeds $X because we have limited resources" but what that really means is they only help rich enough people, who (shocker) also tend to be the ones capable of making campaign donations. The help is means-tested, but not in the way one might expect.

In various roles I've heard from local chiefs of police who are trying to help out various citizens, just because there is no other option for them. It's not uniform at all, but investigating online crimes is not what those guys have training for.

If somebody here has had FBI help for small-dollar crimes where that was their only option, then I'd love to hear counterexamples.

Yea pretty much this.
The FBI gets involved because they have more clout overseas to get the perpetrator arrested. The organization hacked by itself doesn't have much. And the FBI has more potential access to NSA data to find the perp in the first place. The FBI regularly gets involved in wire fraud and bank related cases that cross borders. They have a cyber investigation division for this sort of thing.

Like Bill said though, grandma's $20,000 life savings whisked off to Nigeria isn't likely to raise

Back in the mid-90's, when I just getting started, the web development company I was working for in Chicago got hacked via some remote exploit in IRIX. It was a small business with only six people, but the local FBI branch did send an agent over to collect information when we notified them of the breach.

Why does the FBI get involved? is it because the events span multiple states, or because the banks have so much clout? If this had happened to google or microsoft, for example, would the FBI get involved?

Simply put, the FBI is the investigator of last resort. Local law enforcement (even in large cities like NYC where JPMC is based) are woefully ill-equipped to investigate this sort of thing.

Cyber washes over so much of the actual problem with these companies. it implies some val kilmer secret agent jack bauer bullshit that does not exist in practical terms as the situation applies to entities like Chase. Its a convenient means of misdirecting attention at best.
Lets take a step back and call this what it actually was. Chase involuntarily discharged sensitive information about employees and customers. We can name chase because its too big to fail, but four other banks were part of this incident and we cant name them because to do so would cause egregious harm to their market reputation and force them to spend a pittance on re-issuing credit/debit cards. Chase will work to scapegoat this problem ad infinitum to the nearest foreign superpower that has been demonized/sanctified by politicians for this purpose and business will continue as usual. Chase will not accept liability for its shit-tier software, security practices, or disinterest in its customers and clients because it would harm the largest bank in the world and perhaps shave a sliver of profit off this quarter.

This is the ACTUAL summary of the article. At the very least, this is the summary that *should* be posted to the Slashdot, that translates the shit-speak the media writes into technical jargon that Slashdot readers should expect from "news for nerds".

Otherwise Slashdot is a mere shill for other crap media with their crap reporting with zero journalistic integrity. Facts be damned, protect the status quo.

Imagine that a bunch of soldiers stormed the front door to their datacenter with APCs, tanks, and artillery support. They then removed hard drives and proceeded across the border to some other country. Would you consider this a bank security problem?

Banks don't have this problem because the government provides physical security against these kinds of threats. Sure, the bank is expected to lock the doors and have some guards, but they are

I'll bet all my credit balance that they probably learned to use a malware generator right to just PDFed the clicktomaniac back-office, and that even if the paydata was air-gapped they're leaking USB drives all over the place.

A firewall which is more than just an occasional inconvenience has to stop any data which it can't compare to its list of secrets which may not be leaked. - That is at least what one of the firewall's tasks used to be, but none which did this were sold, apparently because they were ju

Weird assumption that you could ditch the air gap, AC... This firewall is for the data that must inevitably bridge the gap. You only allow a few protocols through it and you know how those protocols behave. The list of secrets isn't one of eternal taboos, but one which is used to keep track of when to allow through what. - It's not like the grand gate FW at your network perimeter.

To get data through it you should need to know what the FW expects to see. Assuming an attacker somehow gets arbitrary execution

crime syndicates are just as resourceful, if not more so, than state actors. To assume that it is a state actor because you did not think of the attack vector first is pretty dumb. in fact, trying to assert any attribution to cybercrime/intelligence is dumb.

As far as I'm concerned, why just JP? If the bad guys have balls, how about Wells Fargo? Better yet, if the bad guys are not just closet girly girls; Why not go after the data base that holds the home loans of the U.S. and all of its backups. Yep, I smell fish, 3 days in the sun.

I didn't see any evidence of Russia being involved, other than gross speculation. Meanwhile, the NYT article states the researchers believe the malware was produced by the same people who made Stuxnet and Flame. That points to the US and Israel, not Russia.

What if such cyber attacks are a form of misdirection or rather click-bait? Here's the scenario: launch a cyber attack on a bank but you're really not interested in any data you might get or rather the attack makes the target think that you're after data. The target then tells its customers to change their passwords. It's only then that the attacker gets what their after i.e. account holders' NEW passwords.

At least that's the impression I get by reading the news. I can't remember the last time I heard an attack described as "simple" or "straightforward." It's never "the hackers just tried a bunch of words until one of them worked," or "turns out that if you type '); then a computer will often happily do whatever you tell it," or "if you give it a very long list of letters, sometimes the computer will start doing whatever you tell it." No, it's "the hackers used a sophisticated technique to plow through lay

When speaking about the very banks that helped cause the global financial meltdown of 2008, I seriously doubt any attack could ever pose a larger threat than the insider threat that runs Too Big To Fail.

We work with JPMorgan. We host hundreds of terabytes of sensitive data for them.

They take information security more seriously than any other organization that we work with, and we work with a number of Fortune 50 corporations, tech companies, and the United States government.

If they are getting hacked, it is not due to a lack of effort or competence on the part of their risk management and security teams. All of the common complaints that get voiced here about companies not taking security seriously, abou

We work with JPMorgan. We host hundreds of terabytes of sensitive data for them.

They take information security more seriously than any other organization that we work with, and we work with a number of Fortune 50 corporations, tech companies, and the United States government.

If they are getting hacked, it is not due to a lack of effort or competence on the part of their risk management and security teams. All of the common complaints that get voiced here about companies not taking security seriously, about companies not spending money on security, about PHBs not getting security, are not applicable to JPMorgan. Those people get it. I do not say that lightly. There are plenty of equally large financial institutions and organizations with similar amounts of resources who do not spend even a quarter of the effort on securing their data that JPMorgan does.

As a client, they are a serious pain the ass to work with. But at the end of the day, their security controls and risk management processes are heavily weighted towards security at all costs, ease of use / access be damned.

I have a similar relationship with JPMC. However, just because they force their vendors to eat the dog food doesn't mean that they are as well...